A phone without a phone number is like a body without life. Phone numbers play a vital role in managing the telephone network. Each subscriber will be given a unique number to communicate with others. As all of you know, the number will only be active until the end of the subscription. What does happen after the subscription period? Those used phone numbers will be opened for new subscribers to use. Telephone companies are forced to do this because phone numbers are finite, subscribers are increasing every day. Now, it’s a challenge for telecom companies to provide a unique number for each subscriber. So the companies don’t want to leave the unused phone numbers. But, this recycling process has lead to many security and privacy issues. Let’s look at what are the security issues with recycled phone numbers and how users can try avoiding them by adhering to simple guidelines.
Common Reasons to Give Up or Lose Phone Number:
According to the Federal Communications Commission (FCC), around 35 million phone numbers in the U.S keep disconnecting every year. People lose or leave their phone numbers for various reasons:
People leave their phone numbers majorly for these three reasons:
- Switch to a new carrier.
- Cancel telephone service for reasons like moving out of the country, or switching to a job-provided phone number.
- Switch to a more desirable number
People lose their phone numbers majorly for these three reasons:
- Violation of service terms
- Not used for a very long time.
At last, the reason could be anything. Ultimately, it encourages the service providers to allot these unused numbers to other subscribers.
8 Security Issues With Recycled Phone Numbers:
The actual risk of recycled phone numbers is not just associated with the carrier companies. The security issues started when third-party applications like banking, shopping, and travel started using SMS service as part of authentication, considering phone numbers as a unique identity of their users. SMS authentication is the method of sending a One Time Passcode (OTP) to the subscriber’s phone via an SMS text message or a phone call. This type of authentication is vulnerable to phone line changes because they are tied to a phone number and the associated cellular service. Let’s see all the possible security issues with Recycled phone numbers in this section.
#1. PII Indexing:
In this type of attack, the attacker tries to find the available phone numbers on the carrier’s or seller’s websites and tries to find the previous owner’s PII information from various people’s search services. Suppose the attacker is able to find the previous owner’s information linked with any of the available numbers. In that case, he can impersonate a previous owner and can try phishing attacks or commit fraud. This type of attack will mostly affect previous owners and their friends & family.
#2. Account Hijackings Via Recovery:
Initially, the attacker tries to find any existing online accounts (e.g., social media, email, e-commerce) linked with available recycled phone numbers. If they find any active accounts, they can easily reset the passwords using SMS authentication or SMS password recovery and gain account access. You may know what and all attackers can do if they hijack your online account. As in PII indexing attacks, these attacks will affect previous owners or associates.
#3. Account Hijackings Without Password Reset:
As the name says, attackers try to do everything possible to obtain the password. As said in the earlier two attacks, attackers search for the online account linked with recycled phone numbers. Once if they have this data in their hand, they gather all available information from people’s search services. Attackers try to buy the leaked or breached account credentials from the cybercriminal marketplace. If they are lucky enough, they can gain access to the online account without SMS 2FA authentication. Previous owners, friends, and family of previous owners are mostly affected by this attack.
#4. Targeted Takeover:
In this attack, the attacker keeps note of the number of change messages and notifications which was shared by his friends, colleagues, partners, and clients. Later tried to own the number when it was available after a long period of waiting time. This allows him to try SMS authentication attacks and hijack their online accounts. The attacker can use the compromised accounts for impersonation, fraud, stealing personal information, and anything he wishes. A person who changes phone numbers often is vulnerable to this attack.
The attacker keeps monitoring the recycled numbers and waits until someone owns the numbers. Then attacker tries to phish the subscriber through SMS. (e.g., “Welcome to your new service. Click here to enable high-speed data for your account”). It is easy to fool the victims with a welcome offer. This way, attackers open a pitfall for victims. Previous owners are safe from these attacks. But new subscribers will fall into the trap. Attackers can send malware and 0-day exploits and can take the device under their control with successful phishing attacks.
#6. Persuasive Takeover:
In this attack, the attacker keeps monitoring the available numbers and waits until the number is allotted to someone. The attacker disguises himself as a carrier service and sends a text like, “This phone number is part of an ongoing investigation, and needs to be reclaimed. Please change this number”. When the subscriber release the number, the attacker buys the number after aging time, this lets him commit SMS authentication attacks on the previous owner’s online account and hijack them. A new subscriber who has been assigned the number will be affected by this attack.
The attacker intentionally buys a phone number and subscribes to multiple services like newsletters, campaigns, and robocalls, and surrenders the number for the recycling process. The victim will be folded with a lot of unwanted messages and calls.
#8. Denial of Service:
Here, attackers buy phone numbers and register with all popular online services that ask for a unique identity. The attacker releases the phone number for the recycling process. When another subscriber buys the number and tries to register the same online service, the service denies it as the number is already registered with them. The attacker can contact the owner of the number and can ask for a ransom to release the number.
Practical Case Study on Security Issues With Recycled Phone Numbers:
They sampled 259 phone numbers available to new subscribers at two major carriers (Verizon & T-Mobile) and found that 171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked. Additionally, a majority of available numbers led to hits on people search services, which provide personally identifiable information on previous owners. Furthermore, a significant fraction (100 of 259) of the numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS-based multi-factor authentication. They also found design weaknesses in carriers’ online interfaces and number recycling policies that could facilitate attacks involving number recycling. You can download the full research paper here:
What Can Carriers Do to Counter Security Issues With Recycled Phone Numbers?
#1. Issue Warning Message of Recycling Their Phone Number:
Carrier service should issue a warning message and educate subscribers about all the associated potential security issues with recycled phone numbers before subscribers initiate the number change process. This gives an opportunity to unsubscribe from any online services associated with the number.
#2. The Carrier Should Make the Number Change Policy Public:
Carriers should document the number change policy with clear timelines. The policy should have clearly written how much time it takes to initiate the process, when the subscriber would lose access to their number, How long their number should be kept suspended, a clear timeline to regain access, and at last, how much time it takes to recycle the number for new subscribers.
#3. Impose Limits on Online Phone Number Inquiries:
Carriers should place some restrictions on online inquiries. The best practice is not to expose the full number to the public on the web. Carriers can display a portion of the number and ask to contact customer service to confirm the number availability.
#4. Limit the Online Phone Number Change Request:
Carriers can impose two types of limits on online phone number changes. They can implement a locking period, lock the number change process for a certain period for new subscribers, and also restrict the number of change requests for quite a long time. Somehow carriers have to learn not to entertain frequent number change processes.
#5. Carriers Should Offer Number Parking Service for Inactive Subscribers:
Suppose a subscriber doesn’t want to use their number for some amount of time for reasons like going abroad for studies or a job. They should be given an opportunity to keep their number until they return to their homeland. There is some service that is readily offering this service. We recommend this service be followed as a mandate by all the carrier services.
What Can Websites Do to Counter Security Issues With Recycled Phone Numbers?
#1. Websites Should Replace the SMS Authentication Process With Email Authentication Process:
All website owners or vendors should stop using the phone number as a user’s unique identity and start replacing phone numbers with email IDs because email authentication is more secure than SMS authentication because email IDs can’t be recycled like phone numbers.
#2. Monitor User’s Login and Alert Users for Suspicious Logins:
Websites should monitor users’ login time and geolocation. Time and location are considered vital parameters to determine security breaches and abnormalities. For example, a single user can’t log in from different geolocation at the same time. It’s a breach.
#3. Websites Should Ask Users to Confirm Email IDs for Every Time Interval:
Websites should ask users to confirm their primary and alternate email ID and phone numbers to confirm for every time interval. This ensures the user detects any changes made without their knowledge.
What Can Subscribers Do to Counter Security Issues With Recycled Phone Numbers?
- Subscribers should avoid changing phone numbers over and over.
- Subscribers should use email authentication in place of SMS authentication.
- Update their new number in all their online accounts.
- Avoid unnecessarily sharing PII.
- Subscribers are recommended to set up a soft token service.
- Avoid password reuse and SMS recovery.
- Utilize the number parking service if required.
- Ignore and report phishing & spam messages to their Carrier.
- Avoid clicking on links. Call the carrier to verify.
As a regulated industry practice, phone number recycling is unlikely to cease. We highlighted eight different security issues with recycled phone numbers and empirically listed the countermeasures from Carrier, website, and user’s paradigm. We recommend all three entities be carefully read in this article and learn the seriousness before falling into the victim’s pitfall.